OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S
VOICE OVER INTERNET PROTOCOL CONTRACT

December 2010   A-14-09-19045

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA’s programs and
operations and protect them against fraud, waste and abuse. We provide timely,
useful and reliable information and advice to Administration officials, Congress
and the public.

Authority
The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

• Conduct and supervise independent and objective audits and
  investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and
  operations.
• Review and make recommendations regarding existing and proposed
  legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of
  problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and
management by proactively seeking new ways to prevent and deter
fraud, waste
and abuse. We commit to integrity and excellence by supporting an environment
that provides a valuable public service while encouraging employee development
and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:      December 28, 2010
Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   The Social Security Administration’s Voice over Internet Protocol Contract
           (A-14-09-19045)

OBJECTIVE
Our objectives were to determine whether (1) Nortel Government Solutions,
Incorporated, (Nortel) [1] adhered to the negotiated contract terms; (2) Social Security
Administration (SSA) personnel properly administered and managed the contract; and
(3) SSA implemented appropriate security measures in the Agency’s Enterprise-Voice
over Internet Protocol (VoIP) system to ensure protection from external threats.

BACKGROUND
VoIP is the delivery of voice communications over certain networks, such as the
Internet. According to SSA, VoIP will allow the Agency to fully integrate its telephone
systems and computer network to provide a consolidated communications platform.
VoIP has the same security issues associated with any Internet application. The same
aspects that make the VoIP software model so powerful—its flexibility, openness, and
distributed design—are also what make it vulnerable.

The SSA VoIP contract number SS00-07-60066 provides support for the
implementation of SSA’s Telephone Systems Replacement Project (TSRP).
On
July 30, 2007, SSA awarded a contract to Nortel [2] to provide hardware, software,
equipment installation, maintenance, and professional services necessary to install,
integrate, and manage the VoIP Solution agencywide. [3] This includes 4 Service Delivery
Points (SDP), [4] 10 regional offices, 6 processing centers, an Automated Test Facility
(ATF), a Voice Network Operations Center (VNOC), and 1,565 field offices.

[1] During our review, Avaya Government Solutions, Incorporated, acquired Nortel. Avaya is the Agency’s
current vendor for the TSRP.
[2] The initial contract award was protested. Nortel prevailed and funds were obligated on March 5, 2008.
[3] The ‘VoIP Solution’ will be implemented agencywide with the exception of Headquarters and the
Commissioner’s Office in Washington, D.C.

The contract period of performance is 1 base year and 9 option years. The contract
was awarded based on a “best value” [5] to the Government analysis and is valued up to
$300 million. Goods and services needed for deliverables under the VoIP contract are
obtained by an SSA task order. Each task order is an indefinite delivery, indefinite
quantity contract. [6] As of June 30, 2009, [7] 479 task orders had been issued; more than
$69 million had been obligated; 58 invoices, totaling about $31 million, had been paid;
and approximately 200 VoIP installations had been completed. [8], [9]

We examined the contract and associated invoices. We interviewed staff in SSA’s
Offices of Budget, Finance and Management, and Telecommunications and Systems
Operations.
We also contacted Headquarters and field office staff regarding the work
performed onsite by contractor personnel.

During our review, we obtained information that indicated SSA paid more than $1 million
for equipment and software for which we could not substantiate actual installation. In
addition, Nortel installed more than $500,000 in equipment and software for which we
could not obtain documentation that the items had actually been ordered. We issued a
memorandum [10] to the Agency that discussed these issues. The Agency has taken
action on our memorandum suggestions. See Appendix B for additional background
information. See Appendix C for more information on our scope and methodology.

[4] An SDP is a facility where VoIP calls are processed.
[5] “Best value” to the Government is the expected outcome of an acquisition that, in the Government’s
estimation, provides the greatest overall benefit in response to the requirement. Federal Acquisition
Regulation (FAR) § 2.101, 48 C.F.R. 2.101.
[6] An indefinite delivery, indefinite quantity contract is an acquisition tool that is used to acquire goods and
services when the exact times and exact quantities of future deliveries are not known at the time of
contract award. This type of contract is also known as a delivery order or “task order” contract.
Id.
[7] As of June 30, 2009, the contract had 58 invoices paid and included 1 year of contract invoices.
[8] Completed installations included 3 SDPs, the ATF, the VNOC, the Birmingham, Alabama, Southeastern
Program Service Center (SEPSC), and 192 field offices.
[9] As of May 2010, 530 task orders had been issued, nearly $127 million had been obligated, 193 invoices
totaling almost $58 million had been paid, and 619 VoIP installations had been completed.
[10] SSA OIG, The Social Security Administration’s Voice over Internet Protocol Contract, March 12, 2010.

RESULTS OF REVIEW
We found Nortel generally adhered to the negotiated contract terms, except for
instances in which:

• Nortel received payment for VoIP equipment and software that was not installed.
• Nortel installed VoIP equipment and software that was not ordered.

SSA provided administrative oversight and accountability on the VoIP contract, except
for instances in which:

• SSA did not properly account for equipment and software acquired under the
  contract in a property inventory management system.

• SSA errors resulted in overstated task order costs, causing invoice overpayments.

• SSA received VoIP functionality; however, some customer service issues remained.

The Agency documented and implemented appropriate security measures for the VoIP
equipment at the SDPs to ensure protection from external threats.

NORTEL RECEIVED PAYMENT FOR VOIP EQUIPMENT AND SOFTWARE THAT
WAS NOT INSTALLED

When Nortel deviated from task order terms, management controls did not prevent the
payment of invoices. In 6 [11] of 23 task orders reviewed, Nortel did not have SSA’s
approval when it installed lesser or greater quantities of equipment and software
ordered.
Nortel personnel explained that the difference between the items ordered and
the items installed resulted from changes in VoIP technology that had taken place while
the contract was under protest. [12] Nortel did not communicate the changes in individual
task order line item quantities installed to the Contract Officer (CO) or the TSRP
Program Management Office (PMO). [13] As a result, required contract modifications
were not made to ratify deviations from task order quantities; SSA paid for equipment
that we could not substantiate as being installed; and Nortel installed equipment where
SSA could not provide documentation that it approved these changes. The TSRP PMO
functions as the day-to-day technical liaison between the contractor and the CO. The
TSRP PMO responsibilities include monitoring contractor compliance, ensuring all
services and materials have been received in accordance with contract terms, and
notifying the CO of any changes in contractor performance. Although the TSRP PMO
was required to monitor contractor compliance with the contract terms, the TSRP PMO
did not sufficiently monitor contractor performance to ensure that task order quantities
ordered for non-field office installations [14] were actually installed.

[11] The six task orders are numbered 2, 3, 4, 5, 7, and 9.
[12] A protest was lodged against the initial contract awarded in July 2007. The protest period extended
through March 2008 when Nortel prevailed.
[13] The VoIP contract TSRP PMO is the Division of Integrated Telecommunications Management.

Moreover, the VoIP contract stipulates that invoice payment is contingent upon
acceptance [15] by SSA. When a site installation has achieved a successful acceptance
test result, the contractor submits an Installation Completion Notice (Notice) to the
TSRP PMO.
The Notice represents an assertion by the contractor that the installation
was completed according to the terms and conditions of the contract and task order(s).
The TSRP PMO uses the Notice to attest to the receipt and completion of all services
and materials for a particular task order and as the basis for approving payment of the
task order invoice when submitted.

TSRP PMO contract monitoring was ineffective because it did not ensure that the
contractor adhered to the terms of the contract. SSA paid more than $1 million for
equipment and software for which we could not substantiate actual installation. For
example, on task order number 4 for the Richmond SDP, SSA ordered and paid for 33
Contract Line Item Number (CLIN) 215130 items and their installation. According to
Nortel inventory records provided for this site, only 14 items were installed. The net
effect for this item at this location is that SSA overpaid the contractor $97,904. [16]

To address overpayments made, SSA should determine the actual variance between
quantities ordered and paid for versus installed quantities and seek recovery for any
payments made for equipment and software not installed.

NORTEL INSTALLED VOIP EQUIPMENT AND SOFTWARE THAT WAS NOT
ORDERED

Further, we could not resolve whether SSA actually ordered more than $500,000 in
equipment and software installed by Nortel. For example, on task order number 2,
SSA ordered and paid for 65 CLIN 200010 items and their installation. According to
Nortel inventory records provided for the Baltimore SDP, 85 of these items were
installed. The net effect for this item at this location is that 20 items, valued at
$41,558, [17] were installed in excess of what was ordered.
In addition, on task order
number 5, SSA ordered and paid for 18 CLIN 200300 items and their installation.
According to Nortel inventory records provided for the Kansas City SDP, 24 CLIN
200300 items were installed. The net effect for this item at this location is that six items,
valued at $41,890, [18] were installed in excess of what was ordered. Further, on task
order number 4, SSA ordered and paid for one CLIN 714350 item. According to Nortel
inventory records provided for the Richmond SDP, 12 of these items were installed.
The net effect for this item at this location is that 11 items, valued at $35,255, [19] were
installed in excess of what was ordered. The total net effect for these three items is
more than $110,000.

[14] Non-field office installations during our audit period included the three SDPs, the ATF, the VNOC, and
the SEPSC.
[15] Acceptance is deemed to have been achieved when a site’s system has operated continuously without
failure for a period of 30 consecutive days.
[16] The contract unit cost for CLIN 215130 is $3,267.07. The installation cost for this unit is $1,885.80.
The total cost was calculated as (19 x $3,267.07= $62,074.33) plus (19 x $1,885.80= $35,830.20) =
$97,904.53.
[17] The contract unit cost for CLIN 200010 is $1,134.40. The installation cost for this unit is $943.49. The
total cost was calculated as (20 x $1,134.40= $22,688) plus (20 x $943.49= $18,870) = $41,558.

As of the date of our review, the CO had not approved these contract deviations in the
form of task order modifications. To strengthen controls to ensure that the contractor
adheres to the contract terms, we recommend SSA reconcile task orders and
installation quantities as an additional acceptance requirement before paying future
VoIP invoices.
Further, before the contractor’s non-performance or performance of
work outside a task order, a contract modification must be prepared and ratified.

SSA DID NOT PROPERLY ACCOUNT FOR VOIP EQUIPMENT AND SOFTWARE IN
A PROPERTY INVENTORY MANAGEMENT SYSTEM

Nearly $18 million in equipment and software purchased under SSA contract
SS00-07-60066 had not been accounted for in an SSA property management inventory
system. According to SSA’s Administrative Instructions Manual System (AIMS),
Materiel Resource Manual (MRM) section 04.01, equipment and software can be
classified in one of three property categories.

• Property with an aggregate acquisition cost of $100,000 or more is defined as
  capitalized property. [20]
• Accountable property [21] is defined as the end item [22] of personal property with an
  aggregate acquisition value of $3,000 [23] to $99,999.
• Property costing less than $3,000 that is not subject to an annual inventory and is
  not considered sensitive property must be controlled through the acquiring
  component’s custodial property records.

[18] The contract unit cost for CLIN 200300 is $3,811.58. The installation cost for this unit is $3,170.12.
The total cost was calculated as (6 x $3,811.58= $22,869) plus (6 x $3,170.12= $19,021) = $41,890.
[19] The contract unit cost for CLIN 714350 is $3,205.03. There was no installation cost involved with this
acquisition. The total cost was calculated as 11 x $3,205.03= $35,255.
[20] AIMS, § 04.01.03 defines capitalized property as “…personal property that has an acquisition value of
$100,000 or more and is recorded in the SSA General Ledger Accounts.”
[21] AIMS, § 04.01.03 defines accountable property as “The end item of personal property with an
aggregate acquisition value of $3,000 to $99,999 including property owned, leased or otherwise under
Government control.” “All personal property within the accountable dollar threshold must be recorded in a
system to be maintained by the Property Accountable Officer.”
[22] AIMS § 04.01.03 defines end item as “…an item of equipment that is not part of a larger item.”
[23] At the time of our audit, the lower dollar threshold for accountable property was $1,000. However, on
April 10, 2010, the lower dollar threshold in AIMS section 04.01.03 was increased to $3,000.

A common factor shared by all three property categories is that property must be
accounted for and recorded in a property management inventory system.

We reviewed SSA’s Sunflower System [24] property management records for the 14 sites
associated with our sample of 15 paid invoices. We found that the Sunflower system
property management records had not been updated to include VoIP equipment
installed at any of the 14 locations.

We also contacted 10 field office sites to determine whether component custodial
property records had been updated to account for VoIP acquisitions costing less than
$3,000.
One of 10 field offices responded that changes were made to its custodial
property records for VoIP equipment that was installed at that site.

Since SSA did not comply with its inventory policies and procedures, the Agency’s
inventory systems did not provide sufficient records of VoIP equipment. We
recommend that the Agency adhere to its own policies and procedures to account for
equipment and software acquired under the VoIP contract in a property management
system.

SSA ERRORS RESULTED IN INVOICE OVERPAYMENTS

Our review of 15 sample Nortel invoices paid during the review period identified invoice
overpayments of approximately $46,000. The invoice overpayments resulted from
errors made in calculating several individual task order amounts. For example,
modification number 1 to task order number 5 was overstated by $25,839. [25] Nortel
billed SSA the total amount indicated on each task order. Nortel invoices did not always
comply with contract invoice requirements [26] that the invoices contain specific
information as to what was billed (for example, amounts billed line item by line item).

[24] The Sunflower System is a database the Agency uses to account for equipment considered sensitive
and equipment with an acquisition cost that falls within the range of $3,000 to $99,999. See generally,
SSA, AIMS - MRM, 4.04 (April 12, 2010).
[25] Contract modification number 1 for task order number 5 for CLINs 759660 and 759670 were priced at
$7,995 and $1,995, respectively. According to the contract pricing tables, the correct unit prices are
$5,478 and $1,361, respectively. The effect of using the incorrect unit prices for this modification is that
the modification was overstated by $25,839.
The total cost was calculated as ($7,995-$5,478= $2,517 x
8= $20,136) plus ($1,995-$1,361.28= $633.72 x 9= $5,703) = $25,839.
[26] According to Section G.1 (i) of the VoIP contract, “All contractor submitted invoices must include the
Contractor’s TIN, DUNS number; Contract Number; specific Task/Delivery Order Number; CLINs being
invoiced for; site code of the Agency site having received delivery of the respective CLIN(s); and the date
of Government acceptance for the respective CLIN(s).”

We reviewed other task orders to determine whether similar errors were made. We
identified an additional error on task order number 7 that was not paid within the audit
period that resulted in an additional overpayment of more than $13,000. We
recommend that contract modifications be executed to account for the task order errors
that resulted in invoice overpayments and that SSA seek recovery from Nortel of
about $60,000.

SSA ACHIEVED VOIP PERFORMANCE AND FUNCTIONALITY, BUT SOME
CUSTOMER SERVICE ISSUES REMAIN

For the VoIP sites reviewed, SSA received planned VoIP performance and functionality.
As indicated in the chart below, as more installations were completed, the average
number of days to achieve site performance and functionality decreased (from 197 days
to 46 days). VoIP performance and functionality was based on the total number of days
required for each site to achieve 30 consecutive days without failure. [27] SSA did not pay
an invoice until VoIP functionality was achieved through the acceptance process. [28]

[27] The installations that occurred in August 2008 involved three SDP locations, the ATF, the SEPSC, and
a VNOC. No installations were completed in September 2008. The installations during the October 2008
to April 2009 period involved 120 of 192 field office locations where VoIP was installed.
Discussions with
Agency officials disclosed that the date of acceptance on individual installation completion notices may
not reflect the actual date of acceptance. However, we were unable to verify this information.
[28] According to Section G.1 (b) of the VoIP contract, payment shall be made when acceptance, as
described in contract Section E - Inspection and Acceptance is achieved. Final formal acceptance is
deemed to have been achieved after 30 consecutive days of successful uninterrupted performance of a
site’s VoIP system.

VoIP Site Functionality & Performance (days to acceptance)

           Aug    Oct    Nov    Dec    Jan    Feb    Mar    Apr
           2008   2008   2008   2008   2009   2009   2009   2009
Average     88    197    170    137    110     77     62     46
Minimum     87    180    146    108     83     60     42     43
Maximum     92    214    214    148    155     86     82     47

Although SSA achieved VoIP functionality and performance, when we attempted to
contact sampled field offices where VoIP had been installed, we encountered long wait
times, disconnected or dropped calls, poor sound quality, and difficulty when navigating
the telephone menu tree. We inquired whether the offices had received customer
comments about the new telephone system. Four of the five offices replied that they
had received negative comments.
In addition, office staff had been experiencing some
technical issues. If field office feedback and our experiences are representative of VoIP
functionality, this raises concerns about the level of customer service provided to
individuals calling SSA field offices.

Subsequent to our review, the Agency provided additional information on the impact of
VoIP on field office customer service. Based on our examination of this information, we
will not perform an additional review of field office customer service at this time. [29]

[29] We reviewed the Fiscal Year 2006 and 2010 Field Office Telephone Service Replacement Project
Survey(s) as well as Office of Quality Performance surveys of SSA’s telephone system.

SSA IMPLEMENTED VOIP SECURITY AT THE SDPS

The Agency documented and implemented appropriate security measures for the VoIP
equipment at its SDPs to ensure protection from external threats. SSA implemented
systems and communication protections. This included denial of service protection,
transmission confidentiality, and malicious code protection. In addition, the Agency
implemented access control features to prevent unsuccessful login attempts.

SSA’s VoIP application at the SDPs was configured to provide only essential
capabilities as required. Audit and accountability features were implemented and the
content of the audit logs met federal standards. [30] The alternate storage site, alternate
processing site, and alternate telecommunications services for VoIP met NIST
requirements. [31] The Agency should continue to implement cost beneficial security
controls as needed.

CONCLUSION AND RECOMMENDATIONS
During our review, we met with Agency representatives to discuss the issues identified
in the OIG memorandum issued in March 2010. Subsequently, the Agency initiated
action to address those issues.
SSA

• conducted physical inventories of VoIP equipment and software at non-field office
  locations;
• met with Nortel to negotiate inventory differences;
• notified the Office of Acquisition and Grants of the need to process task order
  modifications for acceptable differences; and
• sought recovery for items paid for that were not installed.

According to SSA, telephone media is the preferred method used by its customers to
conduct business. To ensure that the Agency receives the services it has paid for, it is
imperative that SSA effectively and efficiently manage the VoIP contract. We
recommend SSA:

1. Continue to conduct VoIP physical inventories and reconcile the inventory results
   with quantities ordered on task orders. If variances exist, execute task order
   modifications for acceptable differences and seek recovery for overpayments.
2. Continue to perform reconciliation between ordered and installed quantities as an
   additional contract acceptance condition prior to the payment of future VoIP
   invoices.
3. Appropriately account for equipment and software acquired under the VoIP contract
   in a property management inventory system.
4. Execute contract modifications to account for the task order errors that resulted in
   invoice overpayments and seek recovery from Nortel of approximately $60,000.
5. Continue to work with Nortel to address customer service issues.
6. Continue to implement cost beneficial security controls, as needed.

[30] National Institute of Standards and Technology (NIST) Special Publication 800-58, Security
Considerations for VoIP Systems, January 2005.
[31] Ibid.

AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with all six recommendations.
See Appendix E for the full text of SSA’s
comments.

OTHER MATTERS
During our review, we noted that several contractor employees were allowed to work
under the contract without proper clearance. Two Nortel employees had access to
SSA’s network but did not have the appropriate security clearance to work under the
VoIP contract. In addition, another contractor employee had administrative access [32] to
the Baltimore SDP VoIP communication server who did not have appropriate clearance.
Federal standards recommend agencies manage information systems accounts by
having appropriate clearance before granting access to its information systems. [33]

Although these employees did not have appropriate clearance, we did not find that the
integrity or availability of the VoIP system had been compromised. This issue will be
addressed in a future review.

Patrick P. O’Carroll, Jr.

[32] Administrative access can be defined as the entity or individuals responsible for overseeing access to
corporate information technology resources.
[33] NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems,
page F-3, December 2007.

Appendices
APPENDIX A – Acronyms

APPENDIX B – Additional Background Information

APPENDIX C – Scope and Methodology

APPENDIX D – Sampling Methodology

APPENDIX E – Agency Comments

APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
AIMS     Administrative Instructions Manual System
ATF      Automated Test Facility
CLIN     Contract Line Item Number
CO       Contract Officer
IP       Internet Protocol
MRM      Materiel Resources Manual
NIST     National Institute of Standards and Technology
Nortel   Nortel Government Solutions, Incorporated
Notice   Installation Completion Notice
PBX      Private Branch Exchange
PMO      Program Management Office
ROCC     Remote Operation Control Center
SDP      Service Delivery Point
SSA      Social Security Administration
TSRP     Telephone Systems Replacement Project
VNOC     Voice Network Operations Center
VoIP     Voice over Internet Protocol

Appendix B
Additional Background Information
The Agency’s Previous Telephone System

CALL FLOW

Incoming calls from the public were routed through public telephones to lines leased to
the Social Security Administration (SSA) on a monthly basis from a telephone carrier.
The field office system answers the call with a recorded greeting, plays a menu of
connection options to the caller, and then routes the call appropriately within the field
office. See Figure B-1.

[Diagram: the Public Telephone Network above five field office boxes, each with its own PBX and
labeled “Field Office Call Control and Processing: Call Treatment / Queue / Voice Mail”]

Figure B-1 – Agency’s Previous Telephone Configuration

HARDWARE

Each of the Agency’s sites was equipped with a stand-alone Private Branch Exchange
(PBX). [1] The PBX systems were of different manufacturers with on-site technicians
providing maintenance support. The PBX systems were connected to the local Public
Telephone Network or operating on a General Services Administration telephone
switching system.

[1] A PBX makes connections among the internal telephones of an organization and connects them to a
public telephone network for both incoming and outgoing calls. Large sites had their own PBX, while
smaller sites shared a PBX.

The PBX systems handled a variety of operations beyond connection to the public
telephone system.
[2] Not all these features were available on every PBX; some features
were purchased through add-on modules (such as overhead paging systems).
Features that were not implemented agencywide included automatic call distribution,
integrated voice messaging, conferencing multiple outside calls, detailed real-time
system monitoring, and management information.

SSA’s New Telephone System
WHY THE AGENCY SELECTED VOICE OVER INTERNET PROTOCOL

Based on SSA’s Telephone Systems Replacement Project (TSRP) statement of work,
the Agency developed strategic plans for the future of its core network systems. A
common theme in all the strategic plans was the use of Internet Protocol (IP) as the
underlying technology. The existing PBX systems were at the end of their life-cycle and
would need to be replaced since existing support for them was diminishing. Since there
were many different manufacturers, the PBXs did not provide consistent functionality
across the Agency.

TSRP replaced the Agency’s end-of-life telephony systems with a flexible infrastructure.
Using Voice over Internet Protocol (VoIP) provided an opportunity to converge SSA’s
two independent networks (data/voice), providing a consolidated communications
platform for consistency throughout the Agency. It also decreased telephone
infrastructure maintenance and operations; and provided greater availability, flexibility,
and functionality.

CALL FLOW

Incoming calls from the public are routed to a pre-defined Service Delivery Point (SDP)[3]
using a Federal Technology Service Toll-Free service. At the SDP, the incoming calls
are converted to a VoIP call and the call processing and treatment functions are
performed.
The call is then routed to the appropriate representative at the field office
over the Agency’s network (see Figure B-2).

[2] Some of the main functions were to answer calls with a custom business greeting; offer a menu of
options for directing the call; provide a directory of employee extensions; evenly distribute calls among
available employees through the automatic call distribution; place callers on hold and play music or
custom messages; voice messaging; transferring calls between extensions; detailed call records and real-
time system management; and internal in-phone or overhead paging.
[3] SDPs are located at the National Computer Center; Second Support Center; the Remote Operations
Control Center (ROCC) in Richmond, California; and the ROCC in Kansas City, Missouri.

[Figure B-2 – TSRP Solution Configuration. Diagram labels: Public Telephone Network; Failover; Richmond SDP, Kansas City SDP, Baltimore SDP, Durham SDP (each: Call Control and Processing: Call Treatment / Queue / Voice Mail); SSA Network; Field Offices.]

HARDWARE

With TSRP, the Agency uses centralized call processing equipment and software at the
SDPs and uses SSA’s existing local area network and wide area network. With this
design, all sites are interconnected by two, independent networks from two different
carriers. This network carries all data, video, and voice traffic. Hardware at the field
offices is composed of IP phones and network equipment for inbound and outbound
connectivity if the network connection to the SDPs is lost.

AVAILABILITY

The SDPs perform the call processing, voice mail, Interactive Voice Response, and
automatic call distribution. Each SDP is a designated backup for all VoIP functions, with
full failover if there is a failure at the primary SDP. Telephone calls from or to a field
office could be blocked and then rerouted if the bandwidth at the location is exceeded or
is not operational.

At the SDPs, the TSRP solution is capable of transferring incoming calls to the Agency’s
National 800 Number Network facility (where it converts to the Network’s analog lines)
in the event a field office is not operational. This feature can be used to provide
continuation of services for all general inquiry calls to a field office via the Agency’s
National 800 Number Network.
The TSRP solution is configured so that field offices
have access to Emergency 911 and 411 calls using the traditional analog lines in case
of a failure that disables the field office’s ability to receive services from the SDPs (for
example, network outage).

Appendix C

Scope and Methodology
To accomplish our objectives, we
•     reviewed applicable Federal laws and regulations and applicable Social Security
      Administration (SSA) policies and procedures;
•     reviewed the SSA/Nortel Contract Number SS00-07-60066;
•     interviewed Agency staff;
•     reviewed and observed Agency contract management processes;
•     examined all sample invoice task orders and associated modifications;
•     selected and tested 15 of 58 invoices paid as of June 30, 2009;
•     obtained, documented, and examined additional information relevant to our review;
•     contacted SSA personnel at locations where Voice over Internet Protocol
      installations occurred;
•     reviewed documentation for security related to denial of service protection, malicious
      code protection, access control, audit and accountability, transmission
      confidentiality, and contingency planning; and
•     examined server configuration settings, audit logs, and user access controls.

We performed audit work at field office locations,[1] service delivery points,[2] the National
Computer Center,[3] and SSA Headquarters[4] between May 2009 and April 2010. The
principal entities audited were SSA’s Offices of Acquisition and Grants, and
Telecommunications and Systems Operations.

We conducted this audit in accordance with generally accepted government auditing
standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe the evidence obtained provides
a reasonable basis for our findings and conclusions based on our audit objectives.

[1] The field offices contacted were New Britain, Connecticut; Owings Mills, Maryland; El Paso, Texas;
Philadelphia, Pennsylvania; Dallas, Texas; Jericho, New York; Los Angeles, California; Hampton,
Virginia; Greenwood, South Carolina; and the Southeastern Program Service Center in Birmingham,
Alabama.
[2] The service delivery point sites are in Baltimore, Maryland; Richmond, California; Durham, North
Carolina; and Kansas City, Missouri.
[3] The National Computer Center in Woodlawn, Maryland, contains the equipment for the Baltimore
Service Delivery Point and the Baltimore Voice Network Operations Center.
[4] The SSA Headquarters complex is located in Woodlawn, Maryland.

Appendix D

Sampling Methodology
We selected 15 of 58 paid contractor invoices.
The invoices selected represented
about $19 million of approximately $31 million in expenses that were incurred and paid
under the Social Security Administration contract SS00-07-60066 as of June 30, 2009.
Five invoices were selected from each of the lowest, middle, and highest invoice cost ranges.

To accomplish our audit objectives, we determined whether
•   contractor invoices matched or did not exceed in total the amount of the individual
    task order(s);
•   associated task orders were mathematically correct;
•   task order unit prices adhered to contract pricing tables;
•   contract pricing tables accurately reflected individual vendor discounts;
•   contract modifications to the base contract and individual task orders were
    accurately processed; and
•   installation costs were only incurred for ordered equipment.

We also reviewed invoices to determine that they were:
•   certified by the Contract Officer Technical Representative before payment;
•   not paid before the receipt of goods and services; and
•   paid in accordance with the Prompt Payment Act.[1]

The 15 paid sample invoices were also used to select a sample of items of equipment
and software that were acquired under the Voice over Internet Protocol (VoIP) contract.
There were 14 locations[2] associated with the 15 invoices where VoIP installations
occurred. The objective of our test sample was to confirm that the equipment and
software ordered was actually installed. For each of the nine field offices, we selected
the five highest unit cost items acquired as our sample items. For the other
5 installations, we selected the highest 25 unit cost items, but limited the selection to
5 for any 1 item selected. For example, if nine of the same items were the highest unit
cost items at a site, we only selected five of those items for our sample.
Our test of
equipment and software acquisitions also allowed us to confirm equipment installation
and site implementation fee costs. In all, we sampled and tested approximately
$6 million of the $31 million paid during the audit period.

[1] The Prompt Payment Act of 1982, Pub. L. 97-177, 96 Stat. 85 (codified in scattered sections of
31 U.S.C.).
[2] The field offices contacted were New Britain, Connecticut; Owings Mills, Maryland; El Paso, Texas;
Philadelphia, Pennsylvania; Dallas, Texas; Jericho, New York; Los Angeles, California; Hampton,
Virginia; Greenwood, South Carolina; and the Southeastern Program Service Center in Birmingham,
Alabama. The service delivery point sites are located in: Baltimore, Maryland; Richmond, California; and
Kansas City, Missouri. The Voice Network Operations Center is located in Baltimore, Maryland.

Appendix E

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:      December 6, 2010          Refer To:   S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Dean S. Landis /s/
           Deputy Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “The Social Security Administration’s
           Voice over Internet Protocol Contract” (A-14-09-19045)--INFORMATION

Thank you for the opportunity to review the draft report. Please see our attached comments.

Please let me know if we can be of further assistance.
Please direct staff inquiries to
Rebecca Tothero, Acting Director, Audit Management and Liaison Staff, at (410) 966-6975.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, “THE SOCIAL SECURITY ADMINISTRATION’S VOICE OVER
INTERNET PROTOCOL CONTRACT” (A-14-09-19045)

GENERAL COMMENT

We have no issue with most of your findings, and agree to all six of your recommendations. We
must point out, however, that we face many complexities in managing the field office telephone
service replacement project (TSRP). Primary among these is the ever-changing nature of
technology itself.

We begin our task order processes by assessing each office’s individual needs; we then issue a
task order to fulfill those needs. Several months may pass between the time we place the order
and actual delivery of goods. During the interim, new technologies often become available from
the same contractor – technologies that offer improved functionality over what we first ordered.
In those cases, we may opt for the new equipment; the equipment we originally ordered may no
longer be available; or a function that once required two pieces of equipment can now be handled
by one.

We face these and other uncertainties as we roll out TSRP to more than 1,300 field offices. We
cannot predict exactly how technology will change, but we know it will, and deviations from the
original task orders are inevitable. That notwithstanding, we recognize the importance of
properly managing this project.
Therefore, we are acting to further improve our controls over
acceptance and payment for equipment and services.

One other comment: On page 2 you state, “Nortel may have installed more than $500,000 in
equipment and software that had not been ordered.” We note this same “may have” theme in
other sections of the report – specifically pages 3 and 4. If your statements are not supported by
facts, we believe you should remove them; especially those statements citing dollar amounts.

RESPONSES TO RECOMMENDATIONS

Recommendation 1

We recommend that SSA continue to conduct Voice over Internet Protocol (VoIP) physical
inventories and reconcile the inventory results with quantities ordered on task orders. If
variances exist, execute task order modifications for acceptable differences and seek recovery for
overpayments.

Response

We agree. We have completed VoIP physical inventories and identified task order variances.
We will determine where there are acceptable differences between the equipment we originally
ordered versus what was delivered, and if necessary, we will execute task order modifications.
Where we accept equipment of greater value than stipulated in task orders, we may be liable for
higher costs; in other situations, we may be entitled to refunds. Case by case, we will modify
task orders as appropriate and either make additional payments or seek refunds.

Recommendation 2

We recommend that SSA continue to perform reconciliation between ordered and installed
quantities as an additional contract acceptance condition prior to the payment of future VoIP
invoices.

Response

We agree. As equipment is delivered and installed, we will reconcile quantities ordered with
quantities received and accepted.
After the period of acceptance testing, usually 30 days, we will
certify final receipt where appropriate, and pay invoices.

Recommendation 3

We recommend that SSA appropriately account for equipment and software acquired under the
VoIP contract in a property management inventory system.

Response

We agree. We are conducting an inventory of the VoIP equipment and software we have
received to date under the Nortel contract and will update our Sunflower property management
system. We will continue to maintain an accurate inventory of our accountable property in
Sunflower once we certify final receipt and acceptance of equipment.

Recommendation 4

Execute contract modifications to account for the task order errors that resulted in invoice
overpayments and seek recovery from Nortel of approximately $60,000.

Response

We agree. We reconciled differences and received a credit for $58,124.51.

Recommendation 5

We recommend that SSA continue to work with Nortel to address customer service issues.

Response

We agree and already work routinely with Nortel to address customer service issues. The
problems you cite, however, are not indicative of our recent experience. We believe your
examples are outdated, and some of your findings are anecdotal.

For example, the first sentence on page 8 of your draft report states: “we encountered long wait
times, disconnected or dropped calls, poor sound quality, and difficulty when navigating the
telephone menu tree.” First, “long wait times” are unrelated to VoIP functionality and are not a
Nortel customer service issue. Second, the other issues you describe are in sharp contrast to the
results of our Fiscal Year 2010 Field Office Telephone Service Replacement Project Survey,
released in August 2010.
Our study showed an overall satisfaction rate of 73 percent among
respondents: nearly three quarters of respondents rated service as either excellent, very good or
good. Our survey also indicated that there were minimal disconnects, good sound quality, and
users had little difficulty navigating the telephone menu tree. You can view the study at:

http://quality.ba.ad.ssa.gov/hq/reports/reportspdf/FY_2010_FO_TSRP_Survey_Report.pdf

Recommendation 6

We recommend that SSA continue to implement cost beneficial security controls, as needed.

Response:

We agree. As you state in the middle of page 3, “The Agency documented and implemented
appropriate security measures for the VoIP equipment.” We will continue these practices.

Appendix F

OIG Contacts and Staff Acknowledgments
OIG Contacts

    Brian Karpe, Director, Information Technology Audit Division

    Mary Ellen Moyer, Audit Manager

Acknowledgments
In addition to those named above:

    Harold Hunter, Auditor in Charge

    Jan Kowalewski, Auditor

For additional copies of this report, please visit our Website at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Staff Assistant at (410) 965-4518.
Refer to Common Identification Number
A-14-09-19045.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of
Technology and Resource Management (OTRM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality
Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives.
OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.
"